Openvpn

TLS key negotiation fails between an OpenVPN Windows 10 client and an OpenVPN Arch Linux server

  • December 18, 2019

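I can't set up an OpenVPN client. The server is on a VPS running Arch Linux, and there is another Arch Linux client that works fine.

I'm trying to add an OpenVPN Windows 10 client to the network, with the same .conf as the Arch client. I also tried changing the server to TCP and port 443, and the same thing happened.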

server.conf:

port 1194
proto udp
dev tun
ca ca.crt
cert servername.crt
key servername.key
dh none
ecdh-curve secp521r1
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-crypt ta.key # tls-auth ta.key 0
#cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

client.conf:

client
dev tun
proto udp
remote IPADDRESS 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert proyectapc.crt
key proyectapc.key
remote-cert-tls server
tls-crypt ta.key # tls-auth ta.key 1
cipher AES-256-CBC
#cipher AES-256-GCM
auth SHA512
#tls-version-min 1.2
#tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
verb 3

OpenVPN server initialization log:

Wed Dec 18 04:10:15 2019 OpenVPN 2.4.8 [git:makepkg/3976acda9bf10b5e+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 30 2019
Wed Dec 18 04:10:15 2019 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Wed Dec 18 04:10:15 2019 ECDH curve secp521r1 added
Wed Dec 18 04:10:15 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Dec 18 04:10:15 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Dec 18 04:10:15 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Dec 18 04:10:15 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Dec 18 04:10:15 2019 ROUTE_GATEWAY 192.99.152.1
Wed Dec 18 04:10:15 2019 TUN/TAP device tun0 opened
Wed Dec 18 04:10:15 2019 TUN/TAP TX queue length set to 100
Wed Dec 18 04:10:15 2019 /usr/bin/ip link set dev tun0 up mtu 1500
Wed Dec 18 04:10:16 2019 /usr/bin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Dec 18 04:10:16 2019 /usr/bin/ip route add 10.8.0.0/24 via 10.8.0.2
Wed Dec 18 04:10:16 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Dec 18 04:10:16 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Dec 18 04:10:16 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Dec 18 04:10:16 2019 UDPv4 link remote: [AF_UNSPEC]
Wed Dec 18 04:10:16 2019 MULTI: multi_init called, r=256 v=256
Wed Dec 18 04:10:16 2019 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Wed Dec 18 04:10:16 2019 ifconfig_pool_read(), in='terminator,10.8.0.4', TODO: IPv6
Wed Dec 18 04:10:16 2019 succeeded -> ifconfig_pool_set()
Wed Dec 18 04:10:16 2019 IFCONFIG POOL LIST
Wed Dec 18 04:10:16 2019 terminator,10.8.0.4
Wed Dec 18 04:10:16 2019 Initialization Sequence Completed

OpenVPN client initialization log:

Wed Dec 18 10:12:02 2019 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Wed Dec 18 10:12:02 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Dec 18 10:12:02 2019 library versions: OpenSSL 1.1.0l  10 Sep 2019, LZO 2.10
Wed Dec 18 10:12:02 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Dec 18 10:12:02 2019 Need hold release from management interface, waiting...
Wed Dec 18 10:12:03 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Dec 18 10:12:03 2019 MANAGEMENT: CMD 'state on'
Wed Dec 18 10:12:03 2019 MANAGEMENT: CMD 'log all on'
Wed Dec 18 10:12:03 2019 MANAGEMENT: CMD 'echo all on'
Wed Dec 18 10:12:03 2019 MANAGEMENT: CMD 'bytecount 5'
Wed Dec 18 10:12:03 2019 MANAGEMENT: CMD 'hold off'
Wed Dec 18 10:12:03 2019 MANAGEMENT: CMD 'hold release'
Wed Dec 18 10:12:03 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Dec 18 10:12:03 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Dec 18 10:12:03 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Dec 18 10:12:03 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Dec 18 10:12:03 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]IPADDRESS:1194
Wed Dec 18 10:12:03 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Dec 18 10:12:03 2019 UDP link local: (not bound)
Wed Dec 18 10:12:03 2019 UDP link remote: [AF_INET]192.99.152.152:1194
Wed Dec 18 10:12:03 2019 MANAGEMENT: >STATE:1576660323,WAIT,,,,,,
Wed Dec 18 10:12:03 2019 MANAGEMENT: >STATE:1576660323,AUTH,,,,,,
Wed Dec 18 10:12:03 2019 TLS: Initial packet from [AF_INET]192.99.152.152:1194, sid=580c2d02 8fcff9b9

This then triggers the following on the server:

Wed Dec 18 04:12:03 2019 IPCLIENT:55713 TLS: Initial packet from [AF_INET]IPCLIENT:55713, sid=73a94d7c de9e850e
Wed Dec 18 04:12:03 2019 IPCLIENT:55713 TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
Wed Dec 18 04:12:03 2019 IPCLIENT:55713 OpenSSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
Wed Dec 18 04:12:03 2019 IPCLIENT:55713 TLS_ERROR: BIO read tls_read_plaintext error
Wed Dec 18 04:12:03 2019 IPCLIENT:55713 TLS Error: TLS object -> incoming plaintext read error
Wed Dec 18 04:12:03 2019 IPCLIENT:55713 TLS Error: TLS handshake failed
Wed Dec 18 04:12:03 2019 IPCLIENT:55713 SIGUSR1[soft,tls-error] received, client-instance restarting

After 1 minute, on the client:

Wed Dec 18 10:13:03 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 18 10:13:03 2019 TLS Error: TLS handshake failed

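Unless you really need specific ciphers, you can comment out the cipher and tls-cipher parameters in the client and server configurations.

OpenVPN will then negotiate using a standard set of secure ciphers.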

Quoted from: https://serverfault.com/questions/995993
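An added example, not part of the original post: a small Python lint for the combination visible in the server.conf above, where `dh none` (which the OpenVPN manual describes as disabling Diffie-Hellman key exchange so that only ECDH is used) sits next to a `tls-cipher` list made up solely of DHE suites. The function names are hypothetical, and the sample config is a shortened, constructed copy of the question's directives.

```python
# Constructed sample: directives copied from the question's server.conf,
# with the tls-cipher list shortened to its first two entries.
SERVER_CONF = """\
dh none
ecdh-curve secp521r1
tls-crypt ta.key # tls-auth ta.key 0
#cipher AES-256-CBC
cipher AES-256-GCM
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
"""

def parse_directives(text):
    """Return {directive: [args]} for active lines, dropping comments."""
    conf = {}
    for line in text.splitlines():
        if line.lstrip().startswith(";"):
            continue                      # ';' comments out a whole line
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf

def key_exchange(suite):
    """Classify an IANA-style suite name (as used by tls-cipher)."""
    if suite.startswith("TLS-ECDHE-"):
        return "ECDHE"
    if suite.startswith("TLS-DHE-"):
        return "DHE"
    return "other"

def lint_server(text):
    """Flag settings that leave the server without a usable key exchange."""
    conf = parse_directives(text)
    args = conf.get("tls-cipher") or [""]
    suites = [s for s in args[0].split(":") if s]
    kinds = {key_exchange(s) for s in suites}
    findings = []
    if conf.get("dh") == ["none"] and suites and kinds == {"DHE"}:
        findings.append("dh none disables DHE, but tls-cipher lists only DHE suites")
    if "ecdh-curve" in conf and suites and "ECDHE" not in kinds:
        findings.append("ecdh-curve is set, but tls-cipher lists no ECDHE suite")
    return findings

if __name__ == "__main__":
    for finding in lint_server(SERVER_CONF):
        print("WARNING:", finding)
```

With the `tls-cipher` line commented out, as the answer suggests, `lint_server` returns no findings.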